Two more accounts were compromised; for these I found no obvious signs of brute-force password guessing. One was used to send a large amount of spam last night, again getting us added to the SpamCop and MailSpike blacklists.
I went through the logs, found 183 addresses belonging to this spammer botnet, and added them to our firewall.
This morning another account was used; this time only six addresses were involved, and I added those to the firewall rule.
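The log review described above (find every source address that authenticated as the compromised account, then block them) can be scripted. The following is an added example, not the author's own tooling; it assumes Postfix-style smtpd SASL login lines, uses constructed sample lines with documentation-range addresses, picks an assumed threshold of three distinct source addresses per account as the "botnet-driven" signal, and emits iptables DROP rules as one possible firewall rule form.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample log (Postfix smtpd SASL login format assumed; not from the page).
# bob@example.com authenticates from many unrelated addresses, the pattern of a
# botnet spamming through a stolen password; alice and carol look normal.
SAMPLE_LOG = """\
Jan 20 02:11:03 mail postfix/smtpd[4101]: 1A2B3C: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob@example.com
Jan 20 02:11:09 mail postfix/smtpd[4101]: 1A2B3D: client=unknown[198.51.100.17], sasl_method=LOGIN, sasl_username=bob@example.com
Jan 20 02:11:15 mail postfix/smtpd[4102]: 1A2B3E: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 20 02:11:20 mail postfix/smtpd[4103]: 1A2B3F: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=bob@example.com
Jan 20 02:11:26 mail postfix/smtpd[4103]: 1A2B40: client=unknown[198.51.100.200], sasl_method=LOGIN, sasl_username=bob@example.com
Jan 20 02:12:01 mail postfix/smtpd[4104]: 1A2B41: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob@example.com
Jan 20 07:30:44 mail postfix/smtpd[4110]: 1A2B42: client=home.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 20 08:02:12 mail postfix/smtpd[4111]: 1A2B43: client=unknown[192.0.2.11], sasl_method=PLAIN, sasl_username=carol@example.com
Jan 20 08:40:55 mail postfix/smtpd[4112]: 1A2B44: client=unknown[192.0.2.12], sasl_method=PLAIN, sasl_username=carol@example.com
Jan 20 08:41:03 mail postfix/smtpd[4112]: 1A2B45: client=unknown[192.0.2.12], sasl_method=PLAIN, sasl_username=carol@example.com
"""

# Pull the client address and the authenticated username out of each line.
LOGIN_RE = re.compile(
    r"client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\].*sasl_username=(?P<user>\S+)"
)


def parse_sasl_logins(text):
    """Return (ip, username) pairs for every authenticated SMTP session found."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))  # reject malformed addresses
        except ValueError:
            continue
        logins.append((ip, m.group("user")))
    return logins


def ips_per_account(logins):
    """Map each username to the set of distinct source addresses it logged in from."""
    acct = defaultdict(set)
    for ip, user in logins:
        acct[user].add(ip)
    return acct


def suspicious_accounts(logins, min_distinct_ips=3):
    """Accounts seen from at least min_distinct_ips distinct addresses (threshold assumed)."""
    return sorted(
        user for user, ips in ips_per_account(logins).items() if len(ips) >= min_distinct_ips
    )


def ips_for_account(logins, account):
    """All source addresses that authenticated as the given account, in numeric order."""
    return sorted(ips_per_account(logins).get(account, set()), key=ipaddress.ip_address)


def firewall_rules(ips):
    """One iptables DROP rule per address (rule form is an assumption; adapt to your firewall)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    logins = parse_sasl_logins(SAMPLE_LOG)
    for account in suspicious_accounts(logins):
        print(f"# {account}: {len(ips_for_account(logins, account))} distinct source addresses")
        for rule in firewall_rules(ips_for_account(logins, account)):
            print(rule)
```

Run it against a real mail log by replacing `SAMPLE_LOG` with the file contents; the threshold should be tuned to how mobile your users are, and the generated rules reviewed before they are applied, since a shared NAT address can put legitimate users behind the same IP as an attacker.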
I've only been able to contact the second customer, and in his case he had used the same password in many places. If you've been following the news, accounts at Twitter, Facebook, Yahoo, and Google have all been compromised in the last three months, so you can see the importance of using a different password at each site.
I am working on eliminating any opportunities for these folks to hammer away at password guesses through services such as ssh, ftp, telnet, rlogin, etc. It will take some time to do this.
After I finish this I intend to run Crack on our password file to find any easily guessable passwords and notify customers of the need to change those.
None of this will do any good, however, if the same good passwords are also used at other sites that are not secured.